CVE-2026-34927

Vulnerability

CVE-2026-34927 is an origin validation vulnerability in Trend Micro Apex One (on-premise, versions below 17079) and Apex One as a Service / Vision One Standard Endpoint Protection (SEP) (agent builds below 14.0.20731) [1]. The vulnerability resides in the security agent component and is reachable when an attacker has already achieved low-privilege code execution on the target Windows system.

Exploitation

To exploit CVE-2026-34927, an attacker must first gain the ability to execute low-privileged code on the target system [1]. From there, the attacker can trigger the origin validation flaw to escalate their privileges. No user interaction is required beyond the initial low-privilege foothold. TrendAI has observed at least one active exploitation attempt in the wild [1], indicating that a working exploit exists.

Impact

Successful exploitation allows a local attacker to escalate privileges on the affected installation [1]. This means the attacker can elevate from low-privileged code execution to a higher privilege level, potentially gaining full control of the endpoint.

Mitigation

TrendAI released fixes in Apex One (on-prem) SP1 CP Build 18012 (or SP1 Build 17079 for new installs) with at least agent build 14.0.0.17079, and Apex One as a Service / Vision One SEP agent build 14.0.20731 [1]. Customers should apply the latest available patches immediately. No workarounds are documented; the only mitigation is to update to the fixed versions.